Earlier this year, we reported on the potential breeding ground for litigation under Illinois’ Biometric Information Privacy Act (“BIPA”).  A recent decision from an Illinois state appellate panel on the different limitations periods that apply to BIPA provides guidance for companies faced with a BIPA lawsuit and the arguments they can make on a motion to dismiss.

In Tims et al. v. Black Horse Carriers, Inc., plaintiff Tims, defendant’s former employee, brought a class action lawsuit against Black Horse Carriers, Inc. under BIPA, alleging defendant violated sections 15(a), (b), and (d) of BIPA when it used fingerprint scanning in its employee timekeeping.  Black Horse Carriers moved to dismiss, arguing that the complaint was filed outside the one-year limitation period of section 13-201 of the Illinois Code of Civil Procedure, which applies a one-year limitation period for “[a]ctions for slander, libel or for publication of matter violating the right of privacy.”  Tims argued that the five-year limitation period in section 13-205 for “all civil actions not otherwise provided for” of the Code applies because section 13-201 only governs privacy claims with a publication element.

The trial court denied Black Horse Carriers’ motion to dismiss, holding section 13-205 applied to an alleged BIPA violation.  While the trial court denied defendant’s motion for reconsideration of its motion to dismiss, the court certified the following question on appeal: does the limitation period in section 13-201 or section 13-205 apply to claims under BIPA?

The appellate panel held that “section 13-201 applies to public disclosure of private facts, appropriation of the name or likeness of another, and false-light publicity.”  Accordingly, section 13-201 does not encompass all privacy actions, but rather only those where publication is an element or inherent part of the action.  Turning to BIPA, the panel held that a party could “violate section 15(a) by failing to develop a written policy establishing a retention schedule and destruction guidelines, section 15(b) by collecting or obtaining biometric data without written notice and release, or section 15(e) by not taking reasonable care in storing, transmitting, and protecting biometric data.”  However, a plaintiff could bring an action under any of these sections without alleging or proving that the defendant “published or disclosed any biometric data to any person or entity beyond or outside itself.”

Conversely, “publication or disclosure of biometric data is clearly an element of an action under section 15(d) of the Act, which is violated by disclosing or otherwise disseminating such data absent specified prerequisites such as consent or a court order.”  Similarly, section 15(c)’s prohibition on “sell[ing], leas[ing], trad[ing], or otherwise profit[ing] from” biometric data includes the “publication, conveyance, or dissemination of such data.”

Accordingly, the panel held that section 13-201 governs actions under sections 15(c) and (d) of BIPA – claims based on unlawful profiting or disclosure.  Section 13-205, on the other hand, governs actions under sections 15(a), (b), and (e) of BIPA – retention policy, informed consent, and safeguarding claims.

The panel concluded that each subsection of BIPA imposes “separate and distinct” duties and a plaintiff can potentially “collect multiple recoveries of liquidated damages.”  Given that the panel’s ruling was limited to the certified question; however, it is unclear the weight other courts will give to the panel’s statement on recovery.  Companies should keep an eye out for the Seventh Circuit’s decision in Cothron v. White Castle, No. 20-3202, which will decide whether each scan of an employee’s biometric information is a separate violation of BIPA sections 15(b) and (d), and thus when a BIPA claim accrues for purposes of applying the limitations periods determined in Tims.